RE: Whois 172/12

["Keith Medcalf" <kmedcalf () dessus com>]

As port 137 is the Netbios Name Service port are you *sure* this is a port scan and not a windows box (or other OS 
running NetBIOS crud) that simply has fat-fingered addresses configured?


---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org


> -----Original Message-----
> From: Ted Fischer [mailto:ted () fred net]
> Sent: Sunday, 15 January, 2012 01:20
> To: nanog () nanog org
> Subject: Re: Whois 172/12
>
> Thanks for the replies so far, but not what I was looking for.
>
> I should have specified that I've done several ns & dig lookups just to
> make sure.
>
> We were supposed to have lit up the last of IPv4 last year.  I would have
> presumed that meant that there was nothing left.  Since I can't find a
> reference to 172/12 anywhere, one might be led to presume that it was
> allocated somehow, to someone (perhaps inadvertently not recorded) since
> there are - supposedly - no fresh IPv4 addresses left to allocate, and the
> only reference to this block is that 172/8 is allocated to ARIN.  It
> doesn't even appear in RFC 5735.
>
> We all know about 172.16/12 - nothing left of that horse but glue.
>
> My question is about 172/12.  Where is it, what is it's supposed purpose.
> I'm almost sure it's an internal box.  I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway".
>
> If someone can point out to me what was done with 172/12 I'd appreciate it.
>
>
> Patrick opined:
> > Read RFC1918.
>
>   I didn't remember seeing anything about 172/12 in RFC1918.  Looked at it
> again.  Is there something about 172/12 I missed?  Thanks.
>
> > Likely a machine on his local network (i.e. behind the same NAT box) is
> > hitting him.
> >
> > But that is not guaranteed.  A packet with a source address of 172.0.x.x
> > could be hitting his machine.  Depends on how well you filter.  Many
> > networks only look at destination IP address, source can be anything -
> > spoofed, un-NAT'ed, etc.  He just wouldn't be able to send anything back
> > to it (unless it was on the local LAN, as I mention above).
> >
> > --
> > TTFN,
> > patrick
> >
> >
> > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
> >
> > > As far as I know, 172.0.1.216 is not assigned, yet.
> > >
> > > whois -h whois.arin.net 172.0.1.216
> > > [whois.arin.net]
> > > #
> > > # Query terms are ambiguous.  The query is assumed to be:
> > > #     "n 172.0.1.216"
> > > #
> > > # Use "?" to get help.
> > > #
> > >
> > > No match found for 172.0.1.216.
> > >
> > >
> > >
> > > #
> > > # ARIN WHOIS data and services are subject to the Terms of Use
> > > # available at: https://www.arin.net/whois_tou.html
> > > #
> > >
> > > Also, when you check BGP routing table, it is not routed at all.
> > >
> > > route-server.as3257.net>sh ip bgp 172.0.1.216
> > > % Network not in table
> > > route-server.as3257.net>
> > >
> > > So it seems like forged IP address.
> > >
> > > Alex
> > >
> > >
> > > On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted () fred net> wrote:
> > > > Hi all,
> > > >
> > > >   Tearing what's left of my hair out.
> > > >
> > > >   A customer is getting scanned by a host claiming to be "172.0.1.216".
> > > >
> > > >   I know this is bogus, but I want to go back to the customer with as
> > > > much authoritative umph as I can (heaven forbid they just take my
> > > > word).
> > > >
> > > >   I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> > > > something like that.  All I can find now is that 172/8 is "administered
> > > > by
> > > > ARIN".  Lots of information on 172.16/12, but not a peep about
> > > > 172/12.
> > > >
> > > >   If anybody could provide some insight as to the
> > > > allocation/non-allocation of this block, it would be much appreciated.
> > > >
> > > >   Thanks.
> > > >
> > > > Ted Fischer